Passport Canada’s Security and Intelligence Case Management System (SICMS)

Executive summary

Passport Canada is a Special Operating Agency of the Department of Foreign Affairs and International Trade Canada, and its mission is to issue internationally respected passports. Canadian passports are issued in the exercise of the Royal prerogative. Under the Canadian Passport Order (SI/81-86) (the Order), the Minister has charged Passport Canada with the authority to issue, refuse, revoke, withhold, recover and monitor the use of passports. The Minister's charge clearly embraces the duty to safeguard the security and integrity of the issuance process, as well as the security, integrity and value to the holder of the Canadian passport. Thus, Passport Canada monitors the passport issuance process and passport use and determines whether the entitlement requirements of the Order are being met or contravened at the time of issuance or at any time during the validity period of the passport.

The passport program, as mentioned above, is governed by the Order, but it also derives from and is informed by the passport application form incorporated by reference into the Order, the International Civil Aviation Organization Standards and Best Practices, Parliament's decision to make it an indictable offence to provide false or misleading information under section 57 of the Criminal Code, and Canada's international obligations and undertakings under various international Conventions.

The Canadian passport is an official document showing the identity and nationality of the bearer for the purpose of facilitating travel by that person outside Canada. A fundamental and cherished aspect of life in today's global village is the citizen's expectation of being able to travel internationally with a document that is recognized and honoured by other states. The Canadian passport carries the Government of Canada's formal and official request to foreign states to afford free passage and assistance to the bearer while in their territories; it constitutes an act of allegiance on the part of the bearer who presumes the protection of Canada.

All authorities vested in Passport Canada with regard to the "regular" passport govern correspondingly the issuance of other types of passport, such as Diplomatic and Special passports, and other travel documents, such as the Refugee Travel Document issued to persons in Canada with protected–person status, including Convention refugees within the meaning of the United Nations Convention Relating to the Status of Refugees, 1951 and its Protocol of 1967, and persons in need of protection, and the Certificate of Identity issued to persons legally landed in Canada for less than three years who are stateless or who are unable to obtain a national passport for a valid reason.

At all times, the Canadian passport remains the property of the Government of Canada. This is stipulated under the Order and reiterated on page one of the passport booklet. Passport holders are thus required to take every precaution to safeguard it. Improper usage may trigger its recall, and even the initiation of the revocation process or limited validity of future passports.

Increasingly, passports serve as secondary identity documents accepted by federal and provincial ministries and the private sector to prove the identity of Canadians seeking access to goods and services (health care, driver's licences and employment insurance, to name a few). Fraudulent access to genuine secondary identity documents allows further fraudulent and criminal activities to take place.

As a Special Operating Agency (SOA), Passport Canada fulfills a vital federal service obligation in delivering Canadian passports to Canadians, certificates of identity to permanent residents, special and diplomatic passports to public service personnel, and emergency passports. The unprecedented increase in demand for passports from Canadians is due in part to the Western Hemisphere Travel Initiative (WHTI), but also reflects a general trend toward securing a passport as more Canadians respond to media coverage and increased awareness. At the same time, more stringent and complex security requirements are being imposed by international standards bodies, as well as by Canadian and other border control agencies. In order to meet its operational and service delivery mandate, Passport Canada is required to incorporate various security initiatives into its operations and business model.

Through the passport entitlement process, the existing system performs a number of significant steps, including a security alert process/review against the System Lookout (SL) list contained in Passport Canada's (PPTC's) Entitlement System (IRIS). This review is conducted by PPTC's Security Bureau. PPTC's Security Bureau is responsible for protecting the integrity of the passport issuance process, and it recognizes the need to leverage new technologies to fulfill its role more efficiently. The Security and Intelligence Case Management System (SICMS) will not change the handling of personal information in the passport entitlement process, but will automate this alert process as well as many other security functions currently performed manually by authorized PPTC personnel. SICMS will provide the Security Bureau with a systematic tool to manage cases, administer the alert process, and identify and analyze trends. SICMS will also allow for the assessment and reporting of system performance. SICMS will be a significant step towards improving the security program of PPTC, and will lead the way to a more comprehensive strategic vision for the security of the entitlement function at PPTC.

Some of the information contained in SICMS will be exchanged with other agencies such as the Royal Canadian Mounted Police, the Canadian Security Intelligence Service, the Canada Border Services Agency, the Department of Justice and Correctional Service Canada. The exchange of information between PPTC and other government departments already takes place, in accordance with previously signed sharing agreements between PPTC and these departments, and is governed by the Privacy Act. This exchange will not take place through SICMS, as SICMS does not have the capacity to communicate outside PPTC at this time.

Certain personal information collected in SICMS will be contained in the individual files and cases. The personal information collected will not be used or disclosed for any reason other than those stated in the passport application, but may be disclosed to other agencies in accordance with the Privacy Act. The present retention period on the system will be 2 years from the closing of a case. Retention schedules must be approved pursuant to Section 12(1) of the Library and Archives Canada Act, which states, "… No record under the control of a government institution may be destroyed without the consent of the Librarian and Archivist of Canada."

The system is used as a decision support mechanism for either issuing or refusing a passport to an individual. A preliminary threat and risk assessment on the system was completed in November 2008. A number of high–level threats, common to both Passport Canada and the System, were identified. The Privacy Impact Assessment analyzes threats with respect to the protection of personal information contained in the system application.

Of the 51 recommendations from the preliminary threat and risk assessment, 47 are being actioned to reduce the risk to low. In the case of the remaining four, it was determined that it was either not possible or not advantageous to comply. According to the statement of acceptable risk, the maximum acceptable risk for this system is medium, and sufficient mitigation was put in place to bring the four risks down to that level. Should any residual risk be found during the vulnerability assessment, it will be investigated and either mitigated or accepted.

The four risks assessed as medium are as follows.

  1. A security baseline was not applied in building the System.
  2. Risks from the Agency network cannot be determined until Passport Canada performs a certification and accreditation assessment at a later date.
  3. The current user name and password method used to protect the system is not sufficient to reduce risk to low.
  4. Because of the considerable amount of information in the databases, more robust physical safeguards will be implemented around the server room and the system will be in a restricted network zone to protect it from remote attacks. This will bring the risk level to medium.

* Facial recognition is the subject of a separate privacy impact assessment. Once completed, the Executive Summary of the PIA will also be posted on this website.

Privacy Risk Management Plan

1.1. Privacy Risk Mitigation

Since this system will be used as a “decision support mechanism” for either issuing or refusing a passport to an individual, this system is at high risk as it pertains to the confidentiality, integrity and accuracy of personal information.

1.2. Apply security baseline to SICMS

As per section 4 of the Government Security Policy, “Assets must be safeguarded according to baseline security requirements and continuous security risk management.” PPTC does not have an official security baseline for its systems at this time, but uses “best practices” when building systems. These “best practices” allow for the residual risks to be brought down to medium from high. (Medium)

1.2.1. Network and physical certifications for SICMS

A certification and accreditation (C&A) will be completed on the SICMS environment in accordance with section 3.2.3 of PPTC’s IT Security Policy. Accreditation signifies that senior management has authorized the SICMS to be commissioned into production and has accepted the residual risk of operating the system based on the certification evidence and the Threat and Risk Assessment (TRA). The reason the residual risk remains at medium at this time is that, although the SICMS C&A will have been completed, a complete C&A of the PPTC infrastructure will not be completed until 2010. Once the Secure Network Project has been completed, the residual risk can be brought down to low if the results of the C&A warrant it. (Medium)

1.2.2. Formalize and improve SICMS authentication

As per Management Information Technologies Security (MITS) 16.4.2, high-sensitivity systems require stronger methods of authentication, such as cryptography-based authentication, tokens or biometrics, as was determined by the Preliminary TRA. A user name and password are being used in SICMS at this time; therefore the residual risk will be left at medium for the time being, until a stronger authentication system is incorporated. (Medium)

1.2.3. Consider encrypting databases

Although there is the possibility of encrypting the databases in SICMS, it was found to be unrealistic and would be detrimental to the benefits that SICMS was designed to provide. Performing queries is one of the main reasons for using the system, and should the databases be encrypted, these queries would be seriously slowed and some would not be possible. The decision was made to add more security around the servers and the physical environment in order to prevent external attacks. (Medium)

1.3. Summary

This summary is used to identify the vulnerability, the privacy principle it refers to, which of the three risks are affected (i.e. confidentiality, integrity or availability), the risk level before the recommendations are implemented, the status of the recommendation, and the residual risk at the time of going operational.

1.3.1 Privacy Principle: Safeguarding

Vulnerability: PPTC Security Program

Affected Risk: Confidentiality, Integrity and Availability

Risk Level before Recommendations: High

Recommendations:

Incorporate SICMS into the PPTC Security Program.

Status of Recommendations:

PPTC is in the process of developing an extensive Security Program that will take effect in the next fiscal year. SICMS will be incorporated in this program.

Residual Risk: Low

1.3.2 Privacy Principle: Safeguarding

Vulnerability: Risk Management

Affected Risk: Confidentiality, Integrity and Availability

Risk Level before Recommendations: High

Recommendations:
  1. Apply security baseline to SICMS.
  2. Address recommendations of the Threat and Risk Assessment (TRA) and Vulnerability Assessment (VA).
  3. Network and Physical Certifications for SICMS.
Status of Recommendations:
  1. SICMS was not designed with security baselines but was implemented with best practices in mind. (Medium)
  2. TRA recommendations are being addressed, and VA recommendations will be addressed. (Low)
  3. Certification and Accreditation (C&A) for SICMS is planned before going live, but C&A for entire PPTC systems will not be done until 2010. (Medium)

Residual Risk: Medium and Low as indicated above.

1.3.3 Privacy Principle: Accountability and Safeguarding

Vulnerability: Security Awareness Training

Affected Risk: Confidentiality, Integrity and Availability

Risk Level before Recommendations: High

Recommendations:
  1. Provide SICMS personnel with general and specific awareness training.
  2. Reinforce security via SICMS Screens.
Status of Recommendations:
  1. Corporate Security is developing a Security Awareness program for PPTC, which will be given to PPTC Employees starting spring 2010; SICMS personnel will receive specific training. (Low)
  2. Recommendation no. 2 above is being implemented. (Low)

Residual Risk: Low

1.3.4 Privacy Principle: Safeguarding

Vulnerability: Access Management

Affected Risk: Confidentiality, Integrity and Availability

Risk Level before Recommendations: High

Recommendations:
  1. Formalize and Improve SICMS authentication.
  2. Plan Active Directory integration with SICMS.
  3. Disallow SICMS multiple login.
Status of Recommendations:
  1. User name and password are all that is being used at this time; the residual risk is being accepted by the owner. (Medium)
  2. Recommendation no. 2 above was being implemented. (Low)
  3. Recommendation no. 3 above was being implemented. (Low)

Residual Risk: Medium and Low

1.3.5 Privacy Principle: Safeguarding

Vulnerability: Inadequate Network Security

Affected Risk: Confidentiality, Integrity and Availability

Risk Level before Recommendations: High

Recommendations:
  1. Encrypt all SICMS session traffic.
  2. Implement n–tier architecture for SICMS and other PPTC systems.
Status of Recommendations:
  1. Done with Transport Layer Security (a cryptographic protocol that provides security and data integrity for communications) and mutual authentication. (Low)
  2. A complete n-tier architecture will not be implemented, but sufficient separation between layers will be implemented to reduce the risk to Low. (Low)

Residual Risk: Low

1.3.6 Privacy Principle: Safeguarding

Vulnerability: Physical Security

Affected Risk: Confidentiality and Availability

Risk Level before Recommendations: High

Recommendations:
  1. Lock SICMS and infrastructure equipment racks.
Status of Recommendations:
  1. The above recommendation was being implemented. (Low)

Residual Risk: Low

1.3.7 Privacy Principles: Accountability, Safeguarding and Accuracy

Vulnerability: Information Designation Practices

Affected Risk: Confidentiality

Risk Level before Recommendations: High

Recommendations:
  1. Mark SICMS assets with confidentiality sensitivity level.
Status of Recommendations:
  1. The above recommendation was being implemented. (Low)

Residual Risk: Low

1.3.8 Privacy Principle: Safeguarding

Vulnerability: Insecure and Excessive Printing

Affected Risk: Confidentiality

Risk Level before Recommendations: High

Recommendations:
  1. Reduce printing by fitting more information on a screen.
  2. Reduce printing by installing multiple monitors and effective browsers.
  3. Have SICMS suggest to users to print less.
  4. Implement temporary secure print solution.
  5. Consider only printing from SICMS servers.
Status of Recommendations:

Recommendations 1 to 4 were being implemented. (Low)

Recommendation no. 5 above was not practical; therefore, sufficient other measures were taken. (Low)

Residual Risk: Low

1.3.9 Privacy Principle: Safeguarding

Vulnerability: Inadequate Management Controls

Affected Risk: Confidentiality, Integrity and Availability

Risk Level before Recommendations: High

Recommendations:
  1. Develop a SICMS security plan and Concept of Operations.
  2. Assign a full-time security person to the SICMS.
  3. Define SICMS roles and responsibilities.
  4. Implement temporary Secure System Development Life Cycle, and configuration and change management for SICMS.
Status of Recommendations:
  1. A project implementation plan has been written and was circulated for signature. (Low)
  2. Recommendation was analyzed and found not to be required. (Low)
  3. Recommendation was being implemented. (Low)
  4. SICMS was developed using the Rational Unified Process (RUP) which is used in all of PPTC. This process is considered adequate for PPTC. (Low)

Residual Risk: Low

1.3.10 Privacy Principle: Safeguarding

Vulnerability: Security Events Handling

Affected Risk: Confidentiality, Integrity and Availability

Risk Level before Recommendations: High

Recommendations:
  1. Define SICMS security log handling.
Status of Recommendations:
  1. The above recommendation was being implemented. (Low)

Residual Risk: Low

1.3.11 Privacy Principles: Safeguarding, Accuracy

Vulnerability: System Hardening

Affected Risk: Confidentiality, Integrity and Availability

Risk Level before Recommendations: High

Recommendations:
  1. Harden SICMS servers.
Status of Recommendations:
  1. The above recommendation was being implemented. Recommendations from the Vulnerability Assessment will also be analyzed and implemented to reduce the risk to Low. (Low)

Residual Risk: Low

1.3.12 Privacy Principle: Individual Access to Information

Vulnerability: Availability Management

Affected Risk: Availability

Risk Level before Recommendations: High

Recommendations:
  1. Perform SICMS capacity planning.
  2. Perform an abbreviated SICMS Business Impact Assessment (BIA).
  3. Plan SICMS continuity and disaster recovery.
  4. Implement fail–over capability.
  5. Backup and restore SICMS.

Status of Recommendations:

Recommendations 1 to 5 above were being implemented. (Low)

Residual Risk: Low

1.3.13 Privacy Principle: Safeguarding

Vulnerability: SICMS interfaces not designed

Affected Risk: Confidentiality

Risk Level before Recommendations: High

Recommendations:
  1. Provide messaging within SICMS instead of interfacing with PPTC email.
  2. Implement secure SICMS–Central Index interface.
  3. Implement secure SICMS–Facial Recognition interface.
  4. Start following the standard interface implementation process for OGD–SICMS interfaces.
Status of Recommendations:
  1. A notification system will be implemented through BizTalk. No information will be passed. (Low)
  2. Recommendation was being implemented. (Low)
  3. Recommendation was being implemented. (Low)
  4. As interfaces are being designed for OGDs, they will be in accordance with GoC standards. (Low)

Residual Risk: Low

1.3.14 Privacy Principle: Accuracy

Vulnerability: SICMS documentation

Affected Risk: Confidentiality, Integrity, Availability

Risk Level before Recommendations: High

Recommendations:
  1. Develop and approve SICMS documentation.
  2. Establish SICMS documentation plan and definitive document library.
  3. Securely handle Protected SICMS documentation.
Status of Recommendations:
  1. Recommendation was being implemented. (Low)
  2. No plan or library was being implemented. (Low)
  3. Recommendation was being implemented. (Low)

Residual Risk: Low

1.3.15 Privacy Principle: Safeguarding

Vulnerability: Aggregation of SICMS information

Affected Risk: Confidentiality

Risk Level before Recommendations: High

Recommendations:
  1. Reduce information aggregation by separating duties and applying the need–to–know principle.
  2. Consider encrypting databases.
  3. Alert about, throttle, and stop large traffic flow to any one SICMS user.
  4. Prevent information aggregation on workstations and by users.
  5. Alert about, throttle, and stop excessive printing by one SICMS user.
  6. Implement information retention, archiving, and purging within SICMS.
Status of Recommendations:
  1. Need–to–know principle is being implemented by Corporate Security. (Low)
  2. Not realistic; would reduce the effectiveness of SICMS. (Medium)
  3. Recommendation was being implemented. (Low)
  4. Recommendation was being implemented. (Low)
  5. Recommendation was being implemented. (Low)
  6. Recommendation was being implemented. (Low)

Residual Risk: Medium and Low as indicated above.
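As an added illustration of the "alert about, throttle, and stop" response called for in recommendations 3 and 5 of this section (not code from the PIA, Passport Canada or SICMS): a per-user sliding-window monitor over audit-log lines. The log format, user names, window length and thresholds are all constructed assumptions.

```python
"""Per-user activity monitor for case views and prints (added illustration).
Audit-line format, user names, window and thresholds below are assumptions."""
from collections import defaultdict, deque
from datetime import datetime

# Assumed thresholds: events by one user within WINDOW_SECONDS that trigger
# each response level. Real values would come from capacity and usage data.
WINDOW_SECONDS = 300
THRESHOLDS = {"VIEW": {"alert": 20, "throttle": 40, "stop": 60},
              "PRINT": {"alert": 5, "throttle": 10, "stop": 15}}
LEVELS = ["ok", "alert", "throttle", "stop"]

def parse_line(line):
    """Parse a constructed audit line:
    '<iso-time> user=<id> action=<VIEW|PRINT> case=<id>'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv["user"], kv["action"], kv["case"]

def level_for(count, limits):
    """Map an event count to the response level it crosses."""
    if count >= limits["stop"]:
        return "stop"
    if count >= limits["throttle"]:
        return "throttle"
    if count >= limits["alert"]:
        return "alert"
    return "ok"

class AggregationMonitor:
    """Sliding-window counter per (user, action); returns a response per event."""
    def __init__(self, window_seconds=WINDOW_SECONDS, thresholds=THRESHOLDS):
        self.window = window_seconds
        self.thresholds = thresholds
        self.events = defaultdict(deque)        # (user, action) -> timestamps
        self.distinct_cases = defaultdict(set)  # user -> cases touched

    def observe(self, line):
        ts, user, action, case = parse_line(line)
        if action not in self.thresholds:
            return "ok"
        q = self.events[(user, action)]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:  # expire old
            q.popleft()
        self.distinct_cases[user].add(case)
        return level_for(len(q), self.thresholds[action])

def run_monitor(lines):
    """Feed all lines; return highest level per user and distinct cases touched."""
    monitor = AggregationMonitor()
    worst = {}
    for line in lines:
        user = parse_line(line)[1]
        lvl = monitor.observe(line)
        if user not in worst or LEVELS.index(lvl) > LEVELS.index(worst[user]):
            worst[user] = lvl
    return worst, {u: len(c) for u, c in monitor.distinct_cases.items()}

# Constructed sample: one analyst views a few cases; another pages through many.
SAMPLE_LOG = (
    [f"2009-03-02T09:{i:02d}:00 user=analyst1 action=VIEW case=C-{1000+i}" for i in range(3)]
    + [f"2009-03-02T09:00:{i:02d} user=analyst2 action=VIEW case=C-{2000+i}" for i in range(45)]
    + [f"2009-03-02T09:01:{i:02d} user=analyst2 action=PRINT case=C-{2000+i}" for i in range(6)]
)

if __name__ == "__main__":
    print(run_monitor(SAMPLE_LOG))  # analyst2 reaches "throttle" on views
```

In a deployment the "throttle" and "stop" levels would be enforced by the application tier and every level written to the security log defined under 1.3.10.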

1.3.16 Privacy Principle: Safeguarding

Vulnerability: Implementation risks

Affected Risk: Confidentiality

Risk Level before Recommendations: High

Recommendations:
  1. Implement secure SICMS software.
  2. Encrypt SICMS passwords.
  3. Thoroughly investigate secure virtualization.
  4. Implement secure Storage Area Network (SAN).
  5. Plan and secure the SICMS non–production environment.
Status of Recommendations:
  1. Recommendation was being implemented. (Low)
  2. Recommendation was being implemented. (Low)
  3. Investigated and found not to be necessary. (Low)
  4. Recommendation was being implemented. (Low)
  5. SICMS non–production environment will be identified in architecture. If processing production data, production security requirements will be applied. (Low)

Residual Risk: Low

1.3.17 Privacy Principle: Safeguarding

Vulnerability: Implementation risks

Affected Risk: Confidentiality, Integrity, Availability

Risk Level before Recommendations: High

Recommendations:
  1. Eliminate security vulnerabilities in SICMS maintenance contracts.
  2. Always consider Common–Criteria–evaluated products for SICMS hardware and software purchases.
Status of Recommendations:
  1. Maintenance contracts contain appropriate security requirements for personnel and equipment. No equipment will be returned to vendor if it contains Protected data, and all contractors will require a secret clearance. (Low)
  2. Common–Criteria products were evaluated and found to be inappropriate. No suitable substitutes were found on the list. (Low)

Residual Risk: Low